The sample phishing emails seen by researchers are individualized to their target, directing them to what appears to be a shared document; the link instead redirects to a malicious phishing page.

As security-conscious Reg readers know only too well, a link to a document from an unknown sender should be an immediate red flag for any user, even when the message is personalized, but the campaign's success rate shows that phishing attempts don't need to be especially sophisticated to achieve their goals.

Other post-intrusion activities include manipulating MFA to establish persistent access after the initial compromise. The attackers were spotted registering their own MFA methods, with an authenticator app the preferred choice, it seems, though registering different phone numbers was also observed.

Armed with full control of a legitimate business email account, the crims went on to launch internal and external phishing campaigns using the new identity. A legitimate account, in theory, lends an email a greater sense of authenticity and is less likely to trigger spam filters, offering a greater chance of success.

Email access was also abused to scan for secrets and to move laterally across the target organization, on top of numerous financial fraud attempts made by sending personalized messages to HR and finance departments. The attackers would also add their own mailbox rules, designed to mask their malicious activity.

Looking at the campaign's infrastructure, the attackers use proxy services set up close to their targets to evade geofencing policies, as well as local fixed-line internet service providers (ISPs). Examples of the non-proxy sources include Russia-based Selena Telecom LLC and the Nigerian providers Airtel Networks Limited and MTN Nigeria Communication Limited. Proofpoint hasn't officially attributed the attacks to a specific group, but some evidence points to the operators possibly being based in Russia and Nigeria.

Indicators of compromise to look for in logs include the following application names:

- My Signins: indicates attempts to manipulate MFA methods
- Office 365 Exchange Online: suggests mailboxes were abused and data may have been stolen
- Office 365 Shell WCSS-Client: indicates a browser was used to access Office 365 apps

As for locking down systems, the usual advice applies: monitor logs for those IoCs, enforce credential changes for compromised users, ensure security products are configured correctly to detect account takeovers (ATOs), and implement auto-remediation policies.

While the phishing campaign remains ongoing, the researchers advise users to remain wary of all unexpected emails and to exercise extreme caution when opening links – the usual stuff.
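As an added example (not code from the article, and not Proofpoint's tooling), the script below runs the three application-name IoCs listed above and a mailbox-rule check over constructed sample records, then correlates both signals per user. The sign-in field names follow the Entra ID sign-in log schema and the rule shape follows the Graph messageRule resource; the suspicious-word list, the "hiding rule" heuristic and the verdict thresholds are my assumptions, because the article says only that the rules mask malicious activity and does not describe their contents.

```python
import json
from collections import defaultdict

# Application display names the article lists as indicators of compromise in
# sign-in logs, with the meaning the article attaches to each.
IOC_APPS = {
    "My Signins": "attempt to manipulate MFA methods",
    "Office 365 Exchange Online": "mailbox abused, data may have been stolen",
    "Office 365 Shell WCSS-Client": "browser used to access Office 365 apps",
}

# Assumed keyword list for inbox-rule conditions (my assumption; the article
# does not say which words the attackers' rules match on).
SUSPICIOUS_WORDS = {"hacked", "phish", "phishing", "password", "suspicious",
                    "invoice", "payment", "wire", "bank"}

# Constructed sample data, not taken from the article. Field names mirror the
# Entra ID signIn resource and the Graph messageRule resource.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2024-02-06T08:12:03Z", "userPrincipalName": "cfo@example.com",
  "appDisplayName": "Office 365 Shell WCSS-Client", "ipAddress": "203.0.113.10"},
 {"createdDateTime": "2024-02-06T08:14:41Z", "userPrincipalName": "cfo@example.com",
  "appDisplayName": "My Signins", "ipAddress": "203.0.113.10"},
 {"createdDateTime": "2024-02-06T08:20:15Z", "userPrincipalName": "cfo@example.com",
  "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10"},
 {"createdDateTime": "2024-02-06T09:01:00Z", "userPrincipalName": "hr@example.com",
  "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7"}
]""")

SAMPLE_RULES = json.loads("""[
 {"user": "cfo@example.com", "displayName": ".",
  "conditions": {"subjectContains": ["hacked", "phishing", "password"]},
  "actions": {"delete": true, "markAsRead": true}},
 {"user": "cfo@example.com", "displayName": "Move invoices",
  "conditions": {"subjectContains": ["invoice", "payment"]},
  "actions": {"moveToFolder": "RSS Feeds", "markAsRead": true}},
 {"user": "hr@example.com", "displayName": "Newsletters",
  "conditions": {"fromContains": ["newsletter@vendor.example"]},
  "actions": {"moveToFolder": "Newsletters"}}
]""")


def flag_signins(records):
    """Return one (user, app, meaning, ip) tuple per sign-in whose app is an IoC."""
    return [
        (r["userPrincipalName"], r["appDisplayName"],
         IOC_APPS[r["appDisplayName"]], r.get("ipAddress", ""))
        for r in records
        if r.get("appDisplayName") in IOC_APPS
    ]


def flag_inbox_rules(rules):
    """Return (user, rule name, reasons) for rules that look built to hide mail.

    Heuristic (assumption): a rule that deletes, or that moves AND marks as
    read, hides mail from the victim. Matching suspicious words or carrying a
    near-empty name is recorded as an extra reason.
    """
    flagged = []
    for rule in rules:
        actions = rule.get("actions", {})
        hides = bool(actions.get("delete")) or (
            bool(actions.get("moveToFolder")) and bool(actions.get("markAsRead")))
        if not hides:
            continue
        reasons = ["delete" if actions.get("delete")
                   else f"move to {actions['moveToFolder']} + mark read"]
        words = {w.lower() for vals in rule.get("conditions", {}).values() for w in vals}
        matched = sorted(words & SUSPICIOUS_WORDS)
        if matched:
            reasons.append("matches " + ", ".join(matched))
        if len(rule.get("displayName", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        flagged.append((rule["user"], rule.get("displayName", ""), reasons))
    return flagged


def triage(signins, rules):
    """Correlate IoC sign-ins and hiding rules per user and assign a verdict.

    Thresholds are assumptions: MFA manipulation plus a hiding rule, or two or
    more distinct IoC apps, is called a likely ATO; anything else gets 'review'.
    """
    per_user = defaultdict(lambda: {"ioc_apps": set(), "hiding_rules": [], "verdict": "review"})
    for user, app, _meaning, _ip in flag_signins(signins):
        per_user[user]["ioc_apps"].add(app)
    for user, name, reasons in flag_inbox_rules(rules):
        per_user[user]["hiding_rules"].append((name, reasons))
    for info in per_user.values():
        mfa_touched = "My Signins" in info["ioc_apps"]
        if (mfa_touched and info["hiding_rules"]) or len(info["ioc_apps"]) >= 2:
            info["verdict"] = "likely ATO"
    return dict(per_user)


if __name__ == "__main__":
    for user, info in triage(SAMPLE_SIGNINS, SAMPLE_RULES).items():
        print(user, info["verdict"], sorted(info["ioc_apps"]), info["hiding_rules"])
```

A "likely ATO" verdict is where the article's lockdown advice kicks in: force a credential change, revoke active sessions, strip the attacker-registered MFA methods and delete the hiding rules, and feed the source IP into whatever auto-remediation policy the tenant has. Users in the sample who show none of the signals (hr@example.com here) never appear in the output.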